Comments for GINSU: NSA Exploit of the Day
A blog covering security and security technology.

Comment from Figureitout on 2014-02-14
AlanS
--I'm not sure they're the same people, but yeah that guy deserves some air time, his blog and that site have excellent stuff that just happens to be very relevant to me right now (BIOS/DMA research). His blog and that site are going on the next squid post.

2014-02-14T18:55:21Z

Comment from AlanS on 2014-02-14
@Tom

2014-02-14T17:51:24Z

Comment from James Sutherland (http://www.deadnode.org/) on 2014-02-02
Rough guess: BULLDOZER has its own CPU core (ARM Cortex-M3?) and a little bit of RAM+ROM on which a small application like GINSU can run to probe and subvert the host machine in various ways via DMA, like identifying the operating system and installing an OS-specific payload.

Being just a ROM would not fit as well - you'd be too tied to the card you're attaching. Some have optional ROM spaces, some don't - but what size? Voltage? Speed? One NIC will have an empty socket for a 5V boot ROM, the next, a surface-mount 3.3V EEPROM already present - but the PCI bus and sockets are standard: voltage, spacing, pin layout - not too hard for them to have made a replacement PCI socket with a single die wired into the right pins. Nothing too arduous for an outfit with its own chip fab!

Presumably most likely targets will be paranoid enough that even if they suspected a piece of hardware had been subverted, they'd destroy all trace of it rather than let it be analysed publicly, which is a shame. Oh, to get some motherboards and hard drives from the Iranian nuclear programme, or similar...

Something about the status of "has been deployed on many target platforms" for many of these items seems rather disturbing to me.

2014-02-02T12:01:26Z

Comment from thunker on 2014-02-01
BULLDOZER would not be a PCI card. Understand what the document markings "TS//SI//REL" mean and then think about the problem the NSA is solving.

Any hardware must be highly resistant to detection: logical, physical, and RF.

If it is detected it must be highly resistant to analysis about its origin and purpose.

If its purpose is suspected its origin must be deniable.

BULLDOZER is a 'covert channel' mechanism that interfaces with the PCI bus. It is probably small, simple, and programmable. Reliability must be high, and multiple units expose the device to detection. I think GINSU is the software or firmware that runs on BULLDOZER. GINSU is capable of installing and checking on the status of KONGUR. It appears that KONGUR is installed on the hard drive and capable of subverting the security mechanisms of Microsoft Windows Vista. Although the diagram shows an RF link to a field computer, it may not have RF capability.

2014-02-01T08:21:43Z

Comment from Figureitout on 2014-01-31
tom
--Yeah it is nice, had that particular tutorial bookmarked when I get a chance to have a go at this HDD w/ a broken SATA board, or I don't even know. Might have to cut some metal though to get at just some exterior pins.

Also kind of OT, FFT on the RasPi, just saw on hackaday. Pretty sweet:

2014-01-31T18:04:31Z

Comment from tom on 2014-01-31
@clive: 'if you hunt around on the web you will find hobbyists who are hooking up to JTag pins and seeing what's in the chips and in some cases re-programing them.'

Right. Here is quite an amazing tutorial on JTAG hacking of hard drives:

2014-01-30T23:41:02Z

Comment from Lawrence D’Oliveiro on 2014-01-30
Judging from the name, this will not be the last...

How many people who aren't either security fiends or builders of their own hardware look inside their computer on a regular basis?

I think we could say even for the few that did they probably would not know what to look for.

And that's the problem, even for those that did look at best all they are going to see is "chip numbers". I'm reasonably sure that the NSA has sufficient resources to re-label chips.

BUT... if you hunt around on the web you will find hobbyists who are hooking up to JTag pins and seeing what's in the chips and in some cases re-programing them.

I suspect it would not be an overly onerous task to come up with a bit of hardware to clamp onto the required pins and re-flash the chip. It's certainly something I would consider for the more run of the mill cards and hard drives.

I wish it were as difficult as solving the halting problem but it's not.

Without going into all the messy details (some of which are given above by @tom) the process a PCI card has to undergo is,

1, either identify the CPU and present low level code or the BIOS has a bytecode interpreter which runs generic F-code.

2, The code from the PCI device needs to examine the bootloader and identify the OS.

There are a couple of ways it could do this one of which is to pull in boot sectors etc and "walk the line" till it identifies the OS, one way is to take control of the bootloader through subroutine hooks another is to put in a custom bootloader such as a modified second stage GRUB. If not walking the line it needs some reliable OS identifying method equivalent of looking for "magic numbers". Whilst this may appear difficult to do there are only a limited number of mainstream OS's it needs worry about.

What it needs if it cannot identify the OS is to do an ET and call home somehow and send a chunk of code back home for identifying.

Which suggests there may be a defence mechanism for a few smart people one of which is to develop your own PCI code to effectively act as a BIOS extender with teeth. If you ensure your code is loaded first then you can put in a CLI and control what the other PCI cards do or don't under human control.

One such might be the equivalent of an Inline Media Encryptor, which wipes memory sets up the vector tables etc and then pulls in a section of HD to RAM disk, and decodes it with an operator entered key.

I'm sure with a little more thought a working solution could be found, however care has to be exercised otherwise you end up in the old ECM - ECCM - ECCCM game.

2014-01-30T22:04:03Z

Comment from tom on 2014-01-30
Now here's a fellow who actually knows something about persisting malware and PCI buses:

"Initial Program Loader (IPL) Device Primer: The second item of background knowledge you need to know pertains to the IPL device. A RAID controller or other storage controller is an attractive victim for firmware malware because they are IPL devices, as per BIOS boot specification. The BIOS boot specification and PCI specification dictate that IPL device firmware must be executed at boot if the IPL device is in use. IPL device firmware is mostly implemented as PCI expansion ROM. Therefore, IPL device firmware is always executed, assuming the IPL device is in use. This fact opens a path for firmware-level malware to reside in the IPL device firmware, particularly if the malware has to be executed at every boot or on certain trigger at boot.

For more details on IPL device firmware execution, see: https://sites.google.com/site/pinczakko/low-cost-embedded-x86-teaching-tool-2. You need to take a closer look at the boot connection vector (BCV) in the PCI expansion ROM in that article. The system BIOS calls/jumps-into the BCV during bootstrap to start the bootloader, which then loads and executes the OS. BCV is implemented in the PCI expansion ROM of the storage controller device. Therefore, the PERC RAID controller in Dell PowerEdge servers should implement BCV as well to conform to the BIOS boot specification.

We know that PCI expansion ROM initialization is initiated by the motherboard BIOS from the Malicious Code Execution in PCI Expansion ROM article (http://resources.infosecinstitute.com/pci-expansion-rom/). The motherboard BIOS calls the INIT function (offset 03h from start of the PCI expansion ROM) with a far call to start add-on board initialization by the PCI expansion ROM. In the DEITYBOUNCE case, the add-on board is the PERC PCI/PCIe board or the PERC chip integrated with the PowerEdge motherboard"

2014-01-30T20:10:27Z

Comment from paul on 2014-01-30
How many people who aren't either security fiends or builders of their own hardware look inside their computer on a regular basis?

2014-01-30T14:49:43Z

Comment from RonK on 2014-01-30
@ Clive

> Er I think it's more likely to be didn't

Uh, I understand by this that you believe that the NSA has multi-platform attacks (against a large variety of known OSs). I agree that this is likely. When I said "magical" it was because I was talking about attacks which are somehow totally independent of the particular binary form of the OS, so they would work against a highly individualized/polymorphic OS. To solve this general problem would be equivalent to solving the halting problem, I think, no?

2014-01-30T14:15:32Z

Comment from erm on 2014-01-30
@Tony H and Peter

Couldn't it also be an implant embedded in any PCI device? As in, it could come installed in a new PC or they could wait for the target to order any PCI card (new soundcard/USB card/network card, granted they aren't as common as they were years ago), intercept the shipment, and implant BULLDOZER into the PCI card so that the target installs it into his computer himself?

And this has made me think, most of these software attacks were already in the wild either by researchers or cyber-crooks. Which raises the question of just who wrote them...

I'm tending to think traditional NSA staffers did not write these from scratch so either the code base or writers were "imports".

Thus it may be possible to identify the code writers from those who were having their collars felt by the likes of the Feebies back then and/or attended BlackHat etc...

It might be time to think about "outing" some of them in various ways.

As for the hardware stuff I know certainly similar equipment was available on the open market in the UK back in the 80's&90's because I was designing and selling it as I've mentioned before on this blog (long before Ed Snowden went to the NSA, and no I've never made it a secret).

For the record UK Agencies like MI5 are not good customers, they talk potential deals and ask for a sample, which they then "Chinese Copy"[1] or give to their favoured partners like Marconi (as was).

The journalist Duncan Campbell [2] has quite a bit to say on this as they served a warrant on his home/office by booting in the door, where they found his "Telephone Tap Detector" that used Time Domain Reflectometry (TDR) and got one of their favoured manufacturers to make it for them to use and give to MI6/GCHQ/CIA/NSA...

[1] When the term "Chinese copy" or "Chinese Knock Off" was first coined the "China" it referred to was the Republic of China (ROC) which is now more commonly known as Taiwan.

[2] There are a number of Duncan Campbells associated with newspapers, he was most famously linked with the ABC trial and Zircon Satellite revelations in the Thatcher era, and later wrote about the effective Colonial Dictatorship in Hong Kong and is linked these days to the "Echelon Report" he did for the EU. http://en.m.wikipedia.org/wiki/Duncan_Campbell_(journalist)

2014-01-30T13:05:23Z

Comment from Samuel Creshal on 2014-01-30
Food for thought: There used to be a lot of PCI devices with unused option ROM ZIF sockets (network cards, e.g.). Guess we now know what those were used for. :-)

2014-01-30T12:26:15Z

Comment from Peter on 2014-01-30
@Tony H, the description says that it requires "one PCI connector (for BULLDOZER installation)", which sounds synonymous with "one PCI slot". It doesn't say "one free PCI connector", though. Maybe BULLDOZER's form factor is a PCI slot, and they unsolder the existing one to replace it?

2014-01-30T09:37:24Z

Comment from RonK on 2014-01-30
@ RobertT

> Even a LiveCD boot is vulnerable to this sort of persistent exploit.

But if you look closely, the revealed OS eavesdropping injection is designed only for Windows, which indicates that the NSA doesn't have magical AI exploits which are platform-independent. This indicates that if we could develop new OSs which are intentionally polymorphic by design, we might be OK.

In the meantime, you might be OK if you ran something OTS, but really esoteric, like Inferno. (Because, in that case, the NSA would probably classify you as a high risk for detecting and revealing their intrusion method). Or, maybe not...

2014-01-30T07:02:07Z

Comment from n0n3 on 2014-01-29
Still, I guess we'll have to wait another decade or so for the next Snowden to lift the lid on how the government makes use of things like haarp and S-Quad / v2k

2014-01-30T02:17:47Z

Comment from n0n3 on 2014-01-29
How many malwares must a cyber-criminal build, before you can call him a cyber-criminal? ^^

2014-01-30T01:58:27Z

Comment from Nick P on 2014-01-29
@ Andrew Wallace

That's a nonrisk. Without help of blog comments, the NSA managed to subvert hardware, BIOS, peripherals, OS's, middleware, crypto standards, supply chain, emission security, and service providers. So far, they seem to have no obstacles to getting to most American targets systems. That all the secrecy and esoteric knowledge already exists at NSA means they're years to decades ahead of us.

Open discussion gives us the advantage, not them.

2014-01-30T01:46:14Z

Comment from Thing on 2014-01-29
From (very rusty) memory, the PCI spec allows for multiple BIOS rom images per device (to support multiple CPU architectures). The BIOS/FW scans for and loads all BIOS ROM extensions during POST so in theory you could use any free space (if there is enough) or swap out any soldered or socketed flash with a larger part. Your device now contains the original BIOS ROM ext + the exploit BIOS ROM ext (with tweaks to the PCI CSRs as appropriate). This would retain the original functionality of the option card and allow the exploit to be loaded during POST.

2014-01-30T01:36:52Z

Comment from Chris Abbott (http://abbottit.com) on 2014-01-29
I think a good solution to these things would be to have available a SHA-512 hash of the original factory BIOS so that you could find a way to tell if it's been jacked with in transit.

2014-01-30T01:06:02Z

Comment from Brandioch Conner on 2014-01-29
The diagram seems to indicate radio transmit/receive. So it is possible that this includes a radio. So maybe a Faraday cage or equivalent.

Or not.

Anyway, the first step here would be detection. Are your supposedly secure systems sending out packets that you cannot account for? Whether over the wire or via radio frequencies.

Beyond that, swap your components on a regular basis. Try to pick the components from a variety of sources. If possible, hand over the old components to people who can take them apart at the chip level. See if they find anything unusual.

2014-01-30T00:36:27Z

Comment from Moderator on 2014-01-29
The fellow most recently known as "Spyderman" is a banned user who is most likely having a manic episode. Please don't make the distraction worse by responding. (I would say "please don't encourage him" but I see little evidence he notices what anyone else says.)

2014-01-30T00:16:02Z

Comment from Tony H. on 2014-01-29
Interesting that it calls BULLDOZER a "PCI bus hardware implant". Not necessarily something that plugs into a PCI slot (where it would be quite likely to be noticed). I wonder what form factor a BULLDOZER takes, and how it connects to the bus.

2014-01-29T23:54:08Z

Comment from Josh Rubin on 2014-01-29
Does NSA offer a removal service for misplaced backdoors?

Sort of like unexploded bombs.

2014-01-29T22:46:59Z

Comment from RobertT on 2014-01-29
Sure sounds to me like exploit persistence from a PCI card ROM. Trouble is how do you find these problems, removing every installed card, connecting cable, (even motherboard) is hardly practical for an individual let alone a corporation, so what do you do?

Even a LiveCD boot is vulnerable to this sort of persistent exploit.

Sounds like it is game over for security on Windoze or any typical PC based platforms. I guess I should be happy unfortunately I know first hand how insecure Android is so there is absolutely nothing to change over to.

2014-01-29T22:33:59Z

Comment from biteyfeedey on 2014-01-29
Re: feeding the hand that bites you.

Yes, ideally all of us potential targets would discuss these exploits, without the NSA being privy to those discussions, as then the NSA wouldn't know which ones we've figured out how to defeat.

But, the next best solution is to discuss everything in the open, so everyone knows how they work and how to defeat them --that makes us at least a little safer than not discussing them at all.

Since realistically, any really productive discussion is going to need enough participants that it probably won't be hidden from the NSA anyway, we should talk in the open.

2014-01-29T22:24:12Z

Comment from Andrew Wallace on 2014-01-29
Any analysis of the exploit(s) within this series of releases should be discussed privately.

Such discussion should be behind closed doors at research institutes and laboratories.

Otherwise, you are feeding the hand that bites you with useful information.

2014-01-29T21:47:21Z

Comment from Iain Moffat on 2014-01-29
@Tony and pegr: It also occurs to me that the implant could replace a PCI card expected to be in the machine with one that has been modified - given that the exploit does not mention any particular make and model of PCI-bus computer as a target I expect it will be something generic like an ethernet or graphics card if it is hidden in plain sight that way.

2014-01-29T21:27:38Z

Comment from pegr on 2014-01-29
Tony:

That could be anywhere on the PCI bus, including the chipset! I'd imagine that could be applied to the physical bus itself, much like installing a "mod chip" on a video game console.

2014-01-29T21:17:55Z

Comment from pegr on 2014-01-29
For your Oracle link:

"Unless you work for something like a government intelligence agency, though, you shouldn't realistically worry about installing commodity hardware from reputable vendor"

I believe that should be, "Unless you are targeted by a government intelligence agency,..."

LOL!

2014-01-29T21:15:08Z

Comment from Tony H. on 2014-01-29
Interesting that it calls BULLDOZER a "PCI bus hardware implant". Not necessarily something that plugs into a PCI slot (where it would be quite likely to be noticed). I wonder what form factor a BULLDOZER takes, and how it connects to the bus.

2014-01-29T21:10:36Z

Comment from BJP (https://pardydba.wordpress.com/) on 2014-01-29
This sounds very much like an implementation of the PCI device Linux kernel backdoor described in https://blogs.oracle.com/ksplice/entry/hosting_backdoors_in_hardware

Use the expansion ROM capability in the BIOS to execute code from the PCI device prior to reading the MBR, set up interrupt handlers to inject your code into the Windows kernel and have at it. This is probably one of dozens of implementations of this general theme.

And none of it shows up on any malware scan since it's not on disk, anywhere, ever.
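
An added example, not part of any comment in this thread or of the original post: a defender-side audit of an expansion ROM dump that ties together two points raised above, that a ROM may carry several images per device and that a hash of the factory firmware would reveal tampering. Field offsets follow the PCI expansion ROM layout (55AAh signature, PCIR pointer at offset 18h); the sample dumps, vendor/device IDs, and the helper names are constructed for illustration.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 PC-AT", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(rom):
    """Walk the image chain of a PCI expansion ROM dump.
    Returns (images, end): one dict per image and the offset just past the last one."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xaa":
        (ptr,) = struct.unpack_from("<H", rom, off + 0x18)   # pointer to PCI Data Structure
        p = off + ptr
        if p + 0x18 > len(rom) or rom[p:p + 4] != b"PCIR":
            raise ValueError(f"image at {off:#x}: no PCIR structure")
        vendor, device = struct.unpack_from("<HH", rom, p + 4)
        (units,) = struct.unpack_from("<H", rom, p + 0x10)   # image length, 512-byte units
        code_type, indicator = rom[p + 0x14], rom[p + 0x15]
        size = units * 512
        if size == 0 or off + size > len(rom):
            raise ValueError(f"image at {off:#x}: bad length {size}")
        images.append({
            "offset": off, "size": size, "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "sha512": hashlib.sha512(rom[off:off + size]).hexdigest(),
        })
        off += size
        if indicator & 0x80:                                  # bit 7: last image in the chain
            break
    return images, off

def audit(rom, baseline):
    """Compare a dump against per-image SHA-512 values from a known-good ROM."""
    images, end = parse_option_rom(rom)
    findings = []
    if len(images) != len(baseline):
        findings.append(f"image count {len(images)}, baseline has {len(baseline)}")
    for img, good in zip(images, baseline):
        if img["sha512"] != good:
            findings.append(f"image at {img['offset']:#x} ({img['type']}) differs from baseline")
    for img in images[len(baseline):]:
        findings.append(f"unexpected {img['type']} image at {img['offset']:#x}")
    if rom[end:].strip(b"\xff\x00"):
        findings.append("non-padding data after last image")
    return findings

def make_image(code_type, last, body=b""):
    """Build a constructed one-unit (512-byte) image for the demo; not real firmware."""
    img = bytearray(512)
    img[0:2], img[2] = b"\x55\xaa", 1
    struct.pack_into("<H", img, 0x18, 0x1C)
    struct.pack_into("<4sHHHHB3sHHBBH", img, 0x1C, b"PCIR", 0x1234, 0x5678, 0, 0x18,
                     0, b"\x00\x00\x02", 1, 1, code_type, 0x80 if last else 0, 0)
    img[0x40:0x40 + len(body)] = body
    return bytes(img)

# Constructed 2 KiB dumps: factory, a second image chained on, data hidden in erased space.
FACTORY = make_image(0, True).ljust(2048, b"\xff")
BASELINE = [i["sha512"] for i in parse_option_rom(FACTORY)[0]]
CHAINED = (make_image(0, False) + make_image(0, True, b"extra")).ljust(2048, b"\xff")
STUFFED = FACTORY[:1024] + b"hidden" + FACTORY[1030:]

if __name__ == "__main__":
    for name, rom in (("factory", FACTORY), ("chained", CHAINED), ("stuffed", STUFFED)):
        print(name, audit(rom, BASELINE) or "matches baseline")
```

A dump read through the running host is only as trustworthy as that host, and the baseline hashes have to come from a source other than the shipped card for the in-transit case discussed in the thread.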